detect-ttl.c

Go to the documentation of this file.

/* Copyright (C) 2007-2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
 
/**
 * \file
 *
 * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
 * \author Victor Julien <victor@inliniac.net>
 *
 * Implements the ttl keyword including prefilter support.
 */
 
#include "suricata-common.h"
#include "stream-tcp.h"
 
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine-prefilter-common.h"
 
#include "detect-ttl.h"
#include "util-debug.h"
#include "util-byte.h"
 
/**
 * \brief Regex for parsing our ttl options
 */
#define PARSE_REGEX  "^\\s*([0-9]*)?\\s*([<>=-]+)?\\s*([0-9]+)?\\s*$"
 
static DetectParseRegex parse_regex;
 
/* prototypes */
static int DetectTtlMatch (DetectEngineThreadCtx *, Packet *,
        const Signature *, const SigMatchCtx *);
static int DetectTtlSetup (DetectEngineCtx *, Signature *, const char *);
void DetectTtlFree (DetectEngineCtx *, void *);
#ifdef UNITTESTS
void DetectTtlRegisterTests (void);
#endif
static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
static bool PrefilterTtlIsPrefilterable(const Signature *s);
 
/**
 * \brief Registration function for ttl: keyword
 */
 
void DetectTtlRegister(void)
{
    sigmatch_table[DETECT_TTL].name = "ttl";
    sigmatch_table[DETECT_TTL].desc = "check for a specific IP time-to-live value";
    sigmatch_table[DETECT_TTL].url = "/rules/header-keywords.html#ttl";
    sigmatch_table[DETECT_TTL].Match = DetectTtlMatch;
    sigmatch_table[DETECT_TTL].Setup = DetectTtlSetup;
    sigmatch_table[DETECT_TTL].Free = DetectTtlFree;
#ifdef UNITTESTS
    sigmatch_table[DETECT_TTL].RegisterTests = DetectTtlRegisterTests;
#endif
    sigmatch_table[DETECT_TTL].SupportsPrefilter = PrefilterTtlIsPrefilterable;
    sigmatch_table[DETECT_TTL].SetupPrefilter = PrefilterSetupTtl;
 
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
    return;
}
 
static inline int TtlMatch(const uint8_t pttl, const uint8_t mode,
                           const uint8_t dttl1, const uint8_t dttl2)
{
    if (mode == DETECT_TTL_EQ && pttl == dttl1)
        return 1;
    else if (mode == DETECT_TTL_LT && pttl < dttl1)
        return 1;
    else if (mode == DETECT_TTL_GT && pttl > dttl1)
        return 1;
    else if (mode == DETECT_TTL_RA && (pttl > dttl1 && pttl < dttl2))
        return 1;
 
    return 0;
}
 
/**
 * \brief This function is used to match TTL rule option on a packet with
 *        those passed via ttl
 *
 * \param t pointer to thread vars
 * \param det_ctx pointer to the pattern matcher thread
 * \param p pointer to the current packet
 * \param m pointer to the sigmatch that we will cast into DetectTtlData
 *
 * \retval 0 no match
 * \retval 1 match
 */
static int DetectTtlMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    if (PKT_IS_PSEUDOPKT(p))
        return 0;
 
    uint8_t pttl;
    if (PKT_IS_IPV4(p)) {
        pttl = IPV4_GET_IPTTL(p);
    } else if (PKT_IS_IPV6(p)) {
        pttl = IPV6_GET_HLIM(p);
    } else {
        SCLogDebug("Packet is of not IPv4 or IPv6");
        return 0;
    }
 
    const DetectTtlData *ttld = (const DetectTtlData *)ctx;
    return TtlMatch(pttl, ttld->mode, ttld->ttl1, ttld->ttl2);
}
 
/**
 * \brief This function is used to parse ttl options passed via ttl: keyword
 *
 * \param ttlstr Pointer to the user provided ttl options
 *
 * \retval ttld pointer to DetectTtlData on success
 * \retval NULL on failure
 */
 
static DetectTtlData *DetectTtlParse (const char *ttlstr)
{
    size_t pcre2len;
    char arg1[6] = "";
    char arg2[6] = "";
    char arg3[6] = "";
 
    int ret = DetectParsePcreExec(&parse_regex, ttlstr, 0, 0);
    if (ret < 2 || ret > 4) {
        SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 "", ret);
        return NULL;
    }
 
    pcre2len = sizeof(arg1);
    int res = pcre2_substring_copy_bynumber(parse_regex.match, 1, (PCRE2_UCHAR8 *)arg1, &pcre2len);
    if (res < 0) {
        SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
        return NULL;
    }
    SCLogDebug("arg1 \"%s\"", arg1);
 
    if (ret >= 3) {
        pcre2len = sizeof(arg2);
        res = pcre2_substring_copy_bynumber(parse_regex.match, 2, (PCRE2_UCHAR8 *)arg2, &pcre2len);
        if (res < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
            return NULL;
        }
        SCLogDebug("arg2 \"%s\"", arg2);
 
        if (ret >= 4) {
            pcre2len = sizeof(arg3);
            res = pcre2_substring_copy_bynumber(
                    parse_regex.match, 3, (PCRE2_UCHAR8 *)arg3, &pcre2len);
            if (res < 0) {
                SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
                return NULL;
            }
            SCLogDebug("arg3 \"%s\"", arg3);
        }
    }
 
    uint8_t ttl1 = 0;
    uint8_t ttl2 = 0;
    int mode = 0;
 
    if (strlen(arg2) > 0) {
        switch (arg2[0]) {
            case '<':
                if (strlen(arg3) == 0)
                    return NULL;
 
                mode = DETECT_TTL_LT;
                if (StringParseUint8(&ttl1, 10, 0, (const char *)arg3) < 0) {
                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid first ttl "
                               "value: \"%s\"", arg3);
                    return NULL;
                }
                SCLogDebug("ttl is %d",ttl1);
                if (strlen(arg1) > 0)
                    return NULL;
 
                break;
            case '>':
                if (strlen(arg3) == 0)
                    return NULL;
 
                mode = DETECT_TTL_GT;
                if (StringParseUint8(&ttl1, 10, 0, (const char *)arg3) < 0) {
                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid first ttl "
                               "value: \"%s\"", arg3);
                    return NULL;
                }
                SCLogDebug("ttl is %d",ttl1);
                if (strlen(arg1) > 0)
                    return NULL;
 
                break;
            case '-':
                if (strlen(arg1) == 0 || strlen(arg3) == 0)
                    return NULL;
 
                mode = DETECT_TTL_RA;
 
                if (StringParseUint8(&ttl1, 10, 0, (const char *)arg1) < 0) {
                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid first ttl "
                               "value: \"%s\"", arg1);
                    return NULL;
                }
                if (StringParseUint8(&ttl2, 10, 0, (const char *)arg3) < 0) {
                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid second ttl "
                               "value: \"%s\"", arg3);
                    return NULL;
                }
                SCLogDebug("ttl is %d to %d",ttl1, ttl2);
                if (ttl1 >= ttl2) {
                    SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid ttl range");
                    return NULL;
                }
                break;
            default:
                mode = DETECT_TTL_EQ;
 
                if ((strlen(arg2) > 0) ||
                    (strlen(arg3) > 0) ||
                    (strlen(arg1) == 0))
                    return NULL;
                if (StringParseUint8(&ttl1, 10, 0, (const char *)arg1) < 0) {
                    SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid first ttl "
                               "value: \"%s\"", arg1);
                    return NULL;
                }
                break;
        }
    } else {
        mode = DETECT_TTL_EQ;
 
        if ((strlen(arg3) > 0) ||
            (strlen(arg1) == 0))
            return NULL;
        if (StringParseUint8(&ttl1, 10, 0, (const char *)arg1) < 0) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid first ttl "
                        "value: \"%s\"", arg1);
            return NULL;
        }
    }
 
    DetectTtlData *ttld = SCMalloc(sizeof(DetectTtlData));
    if (unlikely(ttld == NULL))
        return NULL;
    ttld->ttl1 = (uint8_t)ttl1;
    ttld->ttl2 = (uint8_t)ttl2;
    ttld->mode = mode;
 
    return ttld;
}
 
/**
 * \brief this function is used to attld the parsed ttl data into the current signature
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param ttlstr pointer to the user provided ttl options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, const char *ttlstr)
{
    DetectTtlData *ttld = DetectTtlParse(ttlstr);
    if (ttld == NULL)
        return -1;
 
    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL) {
        DetectTtlFree(de_ctx, ttld);
        return -1;
    }
 
    sm->type = DETECT_TTL;
    sm->ctx = (SigMatchCtx *)ttld;
 
    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
    s->flags |= SIG_FLAG_REQUIRE_PACKET;
    return 0;
}
 
/**
 * \brief this function will free memory associated with DetectTtlData
 *
 * \param ptr pointer to DetectTtlData
 */
void DetectTtlFree(DetectEngineCtx *de_ctx, void *ptr)
{
    DetectTtlData *ttld = (DetectTtlData *)ptr;
    SCFree(ttld);
}
 
/* prefilter code */
 
static void
PrefilterPacketTtlMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
{
    if (PKT_IS_PSEUDOPKT(p)) {
        SCReturn;
    }
 
    uint8_t pttl;
    if (PKT_IS_IPV4(p)) {
        pttl = IPV4_GET_IPTTL(p);
    } else if (PKT_IS_IPV6(p)) {
        pttl = IPV6_GET_HLIM(p);
    } else {
        SCLogDebug("Packet is of not IPv4 or IPv6");
        return;
    }
 
    const PrefilterPacketHeaderCtx *ctx = pectx;
    if (!PrefilterPacketHeaderExtraMatch(ctx, p))
        return;
 
    if (TtlMatch(pttl, ctx->v1.u8[0], ctx->v1.u8[1], ctx->v1.u8[2]))
    {
        SCLogDebug("packet matches ttl/hl %u", pttl);
        PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
    }
}
 
static void
PrefilterPacketTtlSet(PrefilterPacketHeaderValue *v, void *smctx)
{
    const DetectTtlData *a = smctx;
    v->u8[0] = a->mode;
    v->u8[1] = a->ttl1;
    v->u8[2] = a->ttl2;
}
 
static bool
PrefilterPacketTtlCompare(PrefilterPacketHeaderValue v, void *smctx)
{
    const DetectTtlData *a = smctx;
    if (v.u8[0] == a->mode &&
        v.u8[1] == a->ttl1 &&
        v.u8[2] == a->ttl2)
        return true;
    return false;
}
 
static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TTL,
            PrefilterPacketTtlSet,
            PrefilterPacketTtlCompare,
            PrefilterPacketTtlMatch);
}
 
static bool PrefilterTtlIsPrefilterable(const Signature *s)
{
    const SigMatch *sm;
    for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
        switch (sm->type) {
            case DETECT_TTL:
                return true;
        }
    }
    return false;
}
 
#ifdef UNITTESTS
#include "tests/detect-ttl.c"
#endif